b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685

Analysis

max time kernel
58s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14/10/2022, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe
Size

2.0MB
MD5

6a9ecae73e03c232e6a8a2fd7721aadb
SHA1

ccb49814d1d47518383d07479683cc3d4d86e8df
SHA256

b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685
SHA512

54eab337adf92625c90c5b429f08cb41ac40ed8aa4d44f6f008a086e691f856dd45a7cbfd7464cd39d9808b012c248a2af23e12ea8d1cd96c3b9e12498b6022d
SSDEEP

24576:yDyTFtjBDyTFtjsDyTFtjBDyTFtjmDyTFtjBDyTFtjtDyTFtjBDyTFtjsDyTFtjB:/tqthtqtHtqt+tqthtqtHtqt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1240	tmp7082258.exe
1732	tmp7082429.exe
2032	tmp7082601.exe
432	tmp7082850.exe
892	notpad.exe
1800	tmp7083521.exe
572	tmp7083552.exe
948	notpad.exe
1576	tmp7083771.exe
1960	tmp7083927.exe
624	notpad.exe
1352	tmp7085284.exe
996	tmp7085596.exe
1712	notpad.exe
1568	tmp7087375.exe
1572	tmp7087858.exe
1972	notpad.exe
276	tmp7088420.exe
1132	tmp7088357.exe
2036	tmp7088529.exe
1976	notpad.exe
1284	tmp7088482.exe
1176	tmp7088669.exe
860	tmp7088654.exe
1760	tmp7088747.exe
884	notpad.exe
1476	tmp7088794.exe
1016	tmp7088919.exe
1612	tmp7089059.exe
1772	tmp7089028.exe
392	notpad.exe
596	tmp7089325.exe
948	tmp7089137.exe
824	notpad.exe
1812	tmp7090417.exe
680	tmp7091009.exe
2016	tmp7091165.exe
1044	tmp7091368.exe
1120	tmp7091321.exe
1624	notpad.exe
1672	tmp7091696.exe
996	tmp7091446.exe
1928	tmp7091992.exe
944	tmp7091805.exe
1400	tmp7092133.exe
1260	notpad.exe
1264	tmp7092086.exe
560	tmp7092507.exe
1564	tmp7092554.exe
1588	tmp7092632.exe
2032	notpad.exe
452	tmp7092725.exe
580	tmp7093022.exe
1652	tmp7093256.exe
1372	notpad.exe
1976	tmp7093381.exe
1692	tmp7093708.exe
284	tmp7093817.exe
1476	notpad.exe
1160	tmp7094036.exe
1512	notpad.exe
1576	tmp7094379.exe
884	tmp7094535.exe
900	tmp7094769.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000122d6-61.dat	upx
behavioral1/files/0x000b0000000122d6-59.dat	upx
behavioral1/files/0x000b0000000122d6-58.dat	upx
behavioral1/files/0x000b0000000122d6-64.dat	upx
behavioral1/memory/1204-63-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1732-74-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122e2-83.dat	upx
behavioral1/files/0x00090000000122e2-96.dat	upx
behavioral1/files/0x00090000000122e2-97.dat	upx
behavioral1/files/0x00090000000122e2-100.dat	upx
behavioral1/files/0x00090000000122e2-120.dat	upx
behavioral1/files/0x00090000000122e2-118.dat	upx
behavioral1/files/0x00090000000122e2-116.dat	upx
behavioral1/memory/948-112-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000122e0-107.dat	upx
behavioral1/files/0x00080000000122e0-127.dat	upx
behavioral1/files/0x00080000000122e0-91.dat	upx
behavioral1/memory/892-99-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122e2-82.dat	upx
behavioral1/files/0x00090000000122e2-80.dat	upx
behavioral1/files/0x00090000000122e2-79.dat	upx
behavioral1/memory/624-133-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a0000000122e2-134.dat	upx
behavioral1/files/0x000a0000000122e2-137.dat	upx
behavioral1/files/0x000a0000000122e2-135.dat	upx
behavioral1/files/0x000a0000000122e2-138.dat	upx
behavioral1/files/0x00080000000122e0-144.dat	upx
behavioral1/files/0x00080000000122f5-147.dat	upx
behavioral1/files/0x00080000000122f5-150.dat	upx
behavioral1/memory/1712-151-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000122f5-148.dat	upx
behavioral1/memory/1572-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1972-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1976-165-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1284-167-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1976-172-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1284-173-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1760-179-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/884-185-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/392-186-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/884-188-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/392-192-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/948-198-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1812-206-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/824-205-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/996-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1624-217-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1624-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1264-225-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1260-229-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2032-236-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/452-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1372-241-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1976-243-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1976-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1372-253-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1476-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1512-257-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1520-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/428-260-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1576-261-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/948-262-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1520-265-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1576-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1204	b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe
1204	b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe
1204	b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe
1204	b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe
1732	tmp7082429.exe
1732	tmp7082429.exe
1732	tmp7082429.exe
1732	tmp7082429.exe
520	WerFault.exe
520	WerFault.exe
1240	tmp7082258.exe
1240	tmp7082258.exe
892	notpad.exe
892	notpad.exe
892	notpad.exe
1800	tmp7083521.exe
1800	tmp7083521.exe
948	notpad.exe
948	notpad.exe
948	notpad.exe
520	WerFault.exe
1576	tmp7083771.exe
1576	tmp7083771.exe
624	notpad.exe
624	notpad.exe
624	notpad.exe
1352	tmp7085284.exe
1352	tmp7085284.exe
1712	notpad.exe
1712	notpad.exe
1712	notpad.exe
1712	notpad.exe
1568	tmp7087375.exe
1568	tmp7087375.exe
1572	tmp7087858.exe
1572	tmp7087858.exe
1972	notpad.exe
1972	notpad.exe
1572	tmp7087858.exe
276	tmp7088420.exe
276	tmp7088420.exe
1972	notpad.exe
1972	notpad.exe
1976	notpad.exe
1284	tmp7088482.exe
1284	tmp7088482.exe
1976	notpad.exe
1976	notpad.exe
1176	tmp7088669.exe
1976	notpad.exe
1284	tmp7088482.exe
1176	tmp7088669.exe
1760	tmp7088747.exe
1760	tmp7088747.exe
884	notpad.exe
1760	tmp7088747.exe
884	notpad.exe
1016	tmp7088919.exe
1016	tmp7088919.exe
392	notpad.exe
392	notpad.exe
884	notpad.exe
884	notpad.exe
596	tmp7089325.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7122724.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7091992.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7133878.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7140727.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7194781.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7083521.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7142256.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7176498.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7088420.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7150009.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7140727.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7144268.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7203346.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7176498.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7122724.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7140618.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7182270.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7203346.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7093256.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7088919.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7082258.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7096079.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7091992.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7150009.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7119760.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7140618.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7194781.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7203346.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7096079.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7093256.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7104254.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7139666.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7158885.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7144268.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7182270.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7082258.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7176498.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7109090.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7144268.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7093022.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7124238.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7092507.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7148496.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7140727.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7165952.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7120369.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7083771.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7149011.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7184594.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7083521.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7092507.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7093817.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7141210.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7151569.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
520	432	WerFault.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7100775.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7083521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7088420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7109090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7144268.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7182270.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7176498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7092507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7174220.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7203346.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7091009.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7122724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7119760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7165952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7148730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7182941.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7105003.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7142256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7108185.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7195468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7082258.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7141210.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7151569.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7140618.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7175000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7088919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7140228.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7120369.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7184594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7083771.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7094036.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104254.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7149011.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7140727.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7194781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7089325.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093817.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126188.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7150009.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7158885.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7088669.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7091992.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7096079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7133878.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7139666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7085284.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7087375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7124238.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7148496.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1240	1204	b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe	28
PID 1204 wrote to memory of 1240	1204	b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe	28
PID 1204 wrote to memory of 1240	1204	b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe	28
PID 1204 wrote to memory of 1240	1204	b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe	28
PID 1204 wrote to memory of 1732	1204	b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe	29
PID 1204 wrote to memory of 1732	1204	b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe	29
PID 1204 wrote to memory of 1732	1204	b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe	29
PID 1204 wrote to memory of 1732	1204	b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe	29
PID 1732 wrote to memory of 2032	1732	tmp7082429.exe	32
PID 1732 wrote to memory of 2032	1732	tmp7082429.exe	32
PID 1732 wrote to memory of 2032	1732	tmp7082429.exe	32
PID 1732 wrote to memory of 2032	1732	tmp7082429.exe	32
PID 1732 wrote to memory of 432	1732	tmp7082429.exe	31
PID 1732 wrote to memory of 432	1732	tmp7082429.exe	31
PID 1732 wrote to memory of 432	1732	tmp7082429.exe	31
PID 1732 wrote to memory of 432	1732	tmp7082429.exe	31
PID 432 wrote to memory of 520	432	tmp7082850.exe	30
PID 432 wrote to memory of 520	432	tmp7082850.exe	30
PID 432 wrote to memory of 520	432	tmp7082850.exe	30
PID 432 wrote to memory of 520	432	tmp7082850.exe	30
PID 1240 wrote to memory of 892	1240	tmp7082258.exe	33
PID 1240 wrote to memory of 892	1240	tmp7082258.exe	33
PID 1240 wrote to memory of 892	1240	tmp7082258.exe	33
PID 1240 wrote to memory of 892	1240	tmp7082258.exe	33
PID 892 wrote to memory of 1800	892	notpad.exe	41
PID 892 wrote to memory of 1800	892	notpad.exe	41
PID 892 wrote to memory of 1800	892	notpad.exe	41
PID 892 wrote to memory of 1800	892	notpad.exe	41
PID 892 wrote to memory of 572	892	notpad.exe	34
PID 892 wrote to memory of 572	892	notpad.exe	34
PID 892 wrote to memory of 572	892	notpad.exe	34
PID 892 wrote to memory of 572	892	notpad.exe	34
PID 1800 wrote to memory of 948	1800	tmp7083521.exe	40
PID 1800 wrote to memory of 948	1800	tmp7083521.exe	40
PID 1800 wrote to memory of 948	1800	tmp7083521.exe	40
PID 1800 wrote to memory of 948	1800	tmp7083521.exe	40
PID 948 wrote to memory of 1576	948	notpad.exe	35
PID 948 wrote to memory of 1576	948	notpad.exe	35
PID 948 wrote to memory of 1576	948	notpad.exe	35
PID 948 wrote to memory of 1576	948	notpad.exe	35
PID 948 wrote to memory of 1960	948	notpad.exe	38
PID 948 wrote to memory of 1960	948	notpad.exe	38
PID 948 wrote to memory of 1960	948	notpad.exe	38
PID 948 wrote to memory of 1960	948	notpad.exe	38
PID 1576 wrote to memory of 624	1576	tmp7083771.exe	37
PID 1576 wrote to memory of 624	1576	tmp7083771.exe	37
PID 1576 wrote to memory of 624	1576	tmp7083771.exe	37
PID 1576 wrote to memory of 624	1576	tmp7083771.exe	37
PID 624 wrote to memory of 1352	624	notpad.exe	36
PID 624 wrote to memory of 1352	624	notpad.exe	36
PID 624 wrote to memory of 1352	624	notpad.exe	36
PID 624 wrote to memory of 1352	624	notpad.exe	36
PID 624 wrote to memory of 996	624	notpad.exe	39
PID 624 wrote to memory of 996	624	notpad.exe	39
PID 624 wrote to memory of 996	624	notpad.exe	39
PID 624 wrote to memory of 996	624	notpad.exe	39
PID 1352 wrote to memory of 1712	1352	tmp7085284.exe	42
PID 1352 wrote to memory of 1712	1352	tmp7085284.exe	42
PID 1352 wrote to memory of 1712	1352	tmp7085284.exe	42
PID 1352 wrote to memory of 1712	1352	tmp7085284.exe	42
PID 1712 wrote to memory of 1568	1712	notpad.exe	43
PID 1712 wrote to memory of 1568	1712	notpad.exe	43
PID 1712 wrote to memory of 1568	1712	notpad.exe	43
PID 1712 wrote to memory of 1568	1712	notpad.exe	43

C:\Users\Admin\AppData\Local\Temp\b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe
"C:\Users\Admin\AppData\Local\Temp\b504bc57bfe2a1fe0cd9003c9a83af156b71da659547276fb22ef5a07b398685.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\tmp7082258.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7082258.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Users\Admin\AppData\Local\Temp\tmp7083552.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7083552.exe
      4⤵
      Executes dropped EXE
      PID:572
  - - C:\Users\Admin\AppData\Local\Temp\tmp7083521.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7083521.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1800
- C:\Users\Admin\AppData\Local\Temp\tmp7082429.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7082429.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\tmp7082850.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7082850.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:432
- - C:\Users\Admin\AppData\Local\Temp\tmp7082601.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7082601.exe
    3⤵
    - Executes dropped EXE
    PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 36
1⤵
- Loads dropped DLL
- Program crash
PID:520

C:\Users\Admin\AppData\Local\Temp\tmp7083771.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083771.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\tmp7085596.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7085596.exe
    3⤵
    - Executes dropped EXE
    PID:996

C:\Users\Admin\AppData\Local\Temp\tmp7085284.exe
C:\Users\Admin\AppData\Local\Temp\tmp7085284.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\tmp7087375.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7087375.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:1568
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1972
    - - C:\Users\Admin\AppData\Local\Temp\tmp7088420.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088420.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:276
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088669.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088669.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089028.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089028.exe
        9⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089137.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089137.exe
        9⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091009.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091009.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091805.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091805.exe
        12⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092086.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092086.exe
        12⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092507.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092507.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093022.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093022.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093817.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093817.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:284
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094863.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094863.exe
        19⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095253.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095253.exe
        19⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096423.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096423.exe
        20⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100775.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100775.exe
        22⤵
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103224.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103224.exe
        24⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103552.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103552.exe
        24⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104254.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104254.exe
        25⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105970.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105970.exe
        27⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106204.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106204.exe
        27⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106625.exe
        28⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106999.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106999.exe
        28⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105049.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105049.exe
        25⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102148.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102148.exe
        22⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102959.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102959.exe
        23⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103614.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103614.exe
        23⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099652.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099652.exe
        20⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094379.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094379.exe
        17⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095237.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095237.exe
        18⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096844.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096844.exe
        20⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099667.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099667.exe
        20⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100728.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100728.exe
        21⤵
        
        PID:276
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102491.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102491.exe
        23⤵
        
        PID:892
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103942.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103942.exe
        25⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105003.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105003.exe
        25⤵
        Modifies registry class
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105767.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105767.exe
        26⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106469.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106469.exe
        26⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103365.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103365.exe
        23⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104020.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104020.exe
        24⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105471.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105471.exe
        26⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106687.exe
        28⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108169.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108169.exe
        30⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108809.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108809.exe
        30⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109433.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109433.exe
        31⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109714.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109714.exe
        31⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107015.exe
        28⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108185.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108185.exe
        29⤵
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109090.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109090.exe
        31⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110026.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110026.exe
        33⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110541.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110541.exe
        35⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110775.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110775.exe
        35⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112693.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112693.exe
        36⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113863.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113863.exe
        38⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114628.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114628.exe
        40⤵
        
        PID:552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115330.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115330.exe
        42⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116360.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116360.exe
        44⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116828.exe
        44⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117171.exe
        45⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117452.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117452.exe
        45⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115642.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115642.exe
        42⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116126.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116126.exe
        43⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117015.exe
        45⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117966.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117966.exe
        47⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119464.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119464.exe
        47⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119963.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119963.exe
        48⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120369.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120369.exe
        48⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117264.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117264.exe
        45⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117920.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117920.exe
        46⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119760.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119760.exe
        48⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120728.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120728.exe
        50⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121367.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121367.exe
        52⤵
        
        PID:944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122397.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122397.exe
        54⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122678.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122678.exe
        54⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123770.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123770.exe
        55⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125158.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125158.exe
        57⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126141.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126141.exe
        57⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127451.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127451.exe
        58⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127919.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127919.exe
        58⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123926.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123926.exe
        55⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121695.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121695.exe
        52⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122100.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122100.exe
        53⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123161.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123161.exe
        55⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123504.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123504.exe
        55⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125033.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125033.exe
        56⤵
        
        PID:956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127264.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127264.exe
        58⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128309.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128309.exe
        58⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128902.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128902.exe
        59⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129183.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129183.exe
        59⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125330.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125330.exe
        56⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122490.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122490.exe
        53⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120977.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120977.exe
        50⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121742.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121742.exe
        51⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122724.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122724.exe
        53⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123988.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123988.exe
        55⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124284.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124284.exe
        55⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126188.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126188.exe
        56⤵
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128668.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128668.exe
        58⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129370.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129370.exe
        60⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130259.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130259.exe
        62⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130368.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130368.exe
        62⤵
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130727.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130727.exe
        63⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131055.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131055.exe
        63⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186170.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186170.exe
        62⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129744.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129744.exe
        60⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129978.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129978.exe
        61⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130696.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130696.exe
        63⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131226.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131226.exe
        65⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132147.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132147.exe
        67⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132849.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132849.exe
        67⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133488.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133488.exe
        68⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135345.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135345.exe
        70⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        71⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136062.exe
        72⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136671.exe
        72⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138293.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138293.exe
        73⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138465.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138465.exe
        73⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135594.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135594.exe
        70⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135766.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135766.exe
        71⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138137.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138137.exe
        73⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138948.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138948.exe
        75⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139978.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139978.exe
        77⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140368.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140368.exe
        77⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140618.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140618.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        79⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141366.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141366.exe
        80⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        81⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143457.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143457.exe
        82⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        83⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144268.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144268.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144658.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144658.exe
        84⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146000.exe
        85⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        86⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146920.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146920.exe
        87⤵
        
        PID:956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        88⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148199.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148199.exe
        89⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        90⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148917.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148917.exe
        91⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149775.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149775.exe
        91⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150929.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150929.exe
        92⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151616.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151616.exe
        92⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148465.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148465.exe
        89⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149011.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149011.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149900.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149900.exe
        92⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151054.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151054.exe
        94⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151569.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151569.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153254.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153254.exe
        95⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        96⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154159.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154159.exe
        97⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        98⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155344.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155344.exe
        99⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157996.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157996.exe
        101⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158885.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158885.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160570.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160570.exe
        102⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161959.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161959.exe
        102⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156561.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156561.exe
        99⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157481.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157481.exe
        100⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        101⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160477.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160477.exe
        102⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161787.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161787.exe
        104⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        105⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167777.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167777.exe
        106⤵
        
        PID:428
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171740.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171740.exe
        108⤵
        
        PID:944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        109⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175094.exe
        110⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177059.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177059.exe
        110⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179103.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179103.exe
        111⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        112⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182270.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182270.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        114⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184594.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184594.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186139.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186139.exe
        115⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188260.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188260.exe
        116⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188650.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188650.exe
        116⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183050.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183050.exe
        113⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184126.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184126.exe
        114⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185140.exe
        114⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180850.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180850.exe
        111⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172005.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172005.exe
        108⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176498.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176498.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177153.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177153.exe
        109⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170741.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170741.exe
        106⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172395.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172395.exe
        107⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        108⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179337.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179337.exe
        109⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181053.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181053.exe
        109⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183612.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183612.exe
        110⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        111⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185328.exe
        112⤵
        
        PID:596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        113⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186934.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186934.exe
        114⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        115⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189789.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189789.exe
        116⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190772.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190772.exe
        116⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191989.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191989.exe
        117⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        118⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193206.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193206.exe
        119⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        120⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194781.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194875.exe
        121⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195234.exe
        122⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        123⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197386.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197386.exe
        124⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198307.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198307.exe
        124⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199617.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199617.exe
        125⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        126⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206715.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206715.exe
        127⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207370.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207370.exe
        127⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208057.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208057.exe
        128⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208681.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208681.exe
        128⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203346.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203346.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195982.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195982.exe
        122⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193720.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193720.exe
        119⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194578.exe
        120⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195468.exe
        120⤵
        Modifies registry class
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192472.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192472.exe
        117⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187496.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187496.exe
        114⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189649.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189649.exe
        115⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        116⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191568.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191568.exe
        117⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192426.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192426.exe
        117⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193908.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193908.exe
        118⤵
        
        PID:960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        119⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195639.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195639.exe
        120⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        121⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198962.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198962.exe
        122⤵
        
        PID:428
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        123⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201739.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201739.exe
        124⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        125⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210241.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210241.exe
        126⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        127⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219882.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219882.exe
        128⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222877.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222877.exe
        128⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216980.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216980.exe
        126⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219617.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219617.exe
        127⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        128⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229211.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229211.exe
        129⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220693.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220693.exe
        127⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207308.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207308.exe
        124⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209555.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209555.exe
        125⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213891.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213891.exe
        125⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199102.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199102.exe
        122⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200553.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200553.exe
        123⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201427.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201427.exe
        123⤵
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196669.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196669.exe
        120⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199243.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199243.exe
        121⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201926.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201926.exe
        123⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203377.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203377.exe
        123⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207916.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207916.exe
        124⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        125⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216294.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216294.exe
        126⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        127⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222503.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222503.exe
        128⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218696.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218696.exe
        126⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223142.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223142.exe
        127⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        128⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229538.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229538.exe
        127⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209508.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209508.exe
        124⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200475.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200475.exe
        121⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194344.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194344.exe
        118⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190366.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190366.exe
        115⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185468.exe
        112⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186435.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186435.exe
        113⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184423.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184423.exe
        110⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176654.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176654.exe
        107⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162286.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162286.exe
        104⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164049.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164049.exe
        105⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165952.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165952.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160539.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160539.exe
        102⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161693.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161693.exe
        103⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162052.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162052.exe
        103⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158573.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158573.exe
        100⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154736.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154736.exe
        97⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155609.exe
        98⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156733.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156733.exe
        98⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153425.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153425.exe
        95⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150009.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150009.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151007.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151007.exe
        93⤵
        
        PID:624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        94⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152177.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152177.exe
        95⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153644.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153644.exe
        97⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        98⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154876.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154876.exe
        99⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156779.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156779.exe
        101⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157715.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157715.exe
        101⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158729.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158729.exe
        102⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159213.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159213.exe
        102⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155297.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155297.exe
        99⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155687.exe
        100⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        101⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160570.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160570.exe
        102⤵
        
        PID:820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        103⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165890.exe
        104⤵
        
        PID:596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        105⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171116.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171116.exe
        106⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171475.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171475.exe
        106⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172395.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172395.exe
        107⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176404.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176404.exe
        107⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170336.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170336.exe
        104⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171849.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171849.exe
        105⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174220.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174220.exe
        105⤵
        Modifies registry class
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161974.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161974.exe
        102⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162333.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162333.exe
        103⤵
        
        PID:304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        104⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170367.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170367.exe
        105⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170773.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170773.exe
        105⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172270.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172270.exe
        106⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177184.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177184.exe
        108⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180975.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180975.exe
        108⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181771.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181771.exe
        109⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182941.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182941.exe
        109⤵
        Modifies registry class
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175000.exe
        106⤵
        Modifies registry class
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166202.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166202.exe
        103⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157637.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157637.exe
        100⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153925.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153925.exe
        97⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154252.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154252.exe
        98⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155063.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155063.exe
        98⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153113.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153113.exe
        95⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153691.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153691.exe
        96⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154174.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154174.exe
        96⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151257.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151257.exe
        93⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149104.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149104.exe
        90⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147248.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147248.exe
        87⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147607.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147607.exe
        88⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        89⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148496.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148496.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148730.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148730.exe
        90⤵
        Modifies registry class
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149884.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149884.exe
        91⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149978.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149978.exe
        91⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148137.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148137.exe
        88⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146327.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146327.exe
        85⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143769.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143769.exe
        82⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144112.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144112.exe
        83⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146296.exe
        85⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146405.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146405.exe
        85⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147029.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147029.exe
        86⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147388.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147388.exe
        86⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144377.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144377.exe
        83⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141756.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141756.exe
        80⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142521.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142521.exe
        81⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        82⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143862.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143862.exe
        83⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143987.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143987.exe
        83⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144393.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144393.exe
        84⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145391.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145391.exe
        84⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142568.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142568.exe
        81⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140914.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140914.exe
        78⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139666.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139666.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140103.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140103.exe
        76⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140727.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140727.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138449.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138449.exe
        73⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139791.exe
        74⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        75⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140836.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140836.exe
        76⤵
        
        PID:948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        77⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141912.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141912.exe
        78⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142209.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142209.exe
        78⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143301.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143301.exe
        79⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143441.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143441.exe
        79⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141210.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141210.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141694.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141694.exe
        77⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142256.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142256.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140228.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140228.exe
        74⤵
        Modifies registry class
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136203.exe
        71⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131616.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131616.exe
        65⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132100.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132100.exe
        66⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        67⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133161.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133161.exe
        68⤵
        
        PID:304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133691.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133691.exe
        70⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133878.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133878.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134970.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134970.exe
        71⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135672.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135672.exe
        73⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135813.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135813.exe
        73⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136250.exe
        74⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136686.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136686.exe
        74⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135298.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135298.exe
        71⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133348.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133348.exe
        68⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133863.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133863.exe
        69⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134580.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134580.exe
        69⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132287.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132287.exe
        66⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130790.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130790.exe
        63⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131570.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131570.exe
        64⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131741.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131741.exe
        64⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130150.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130150.exe
        61⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128996.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128996.exe
        58⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129510.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129510.exe
        59⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129838.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129838.exe
        59⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127904.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127904.exe
        56⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123333.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123333.exe
        53⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124238.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124238.exe
        54⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125142.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125142.exe
        54⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122225.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122225.exe
        51⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120119.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120119.exe
        48⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120868.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120868.exe
        49⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121164.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121164.exe
        49⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118076.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118076.exe
        46⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116594.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116594.exe
        43⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114909.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114909.exe
        40⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115361.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115361.exe
        41⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115689.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115689.exe
        41⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114222.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114222.exe
        38⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114721.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114721.exe
        39⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115127.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115127.exe
        39⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113146.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113146.exe
        36⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110182.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110182.exe
        33⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110868.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110868.exe
        34⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111477.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111477.exe
        34⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109464.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109464.exe
        31⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110307.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110307.exe
        32⤵
        
        PID:392
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110993.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110993.exe
        34⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113161.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113161.exe
        36⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113489.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113489.exe
        36⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114066.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114066.exe
        37⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114160.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114160.exe
        37⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112709.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112709.exe
        34⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113208.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113208.exe
        35⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113583.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113583.exe
        35⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110494.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110494.exe
        32⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108513.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108513.exe
        29⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106157.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106157.exe
        26⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107311.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107311.exe
        27⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107701.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107701.exe
        27⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104800.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104800.exe
        24⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101415.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101415.exe
        21⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096126.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096126.exe
        18⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093381.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093381.exe
        15⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094036.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094036.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096079.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096079.exe
        18⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098669.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098669.exe
        20⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099933.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099933.exe
        20⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101602.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101602.exe
        21⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102304.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102304.exe
        21⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096360.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096360.exe
        18⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098716.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098716.exe
        19⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099855.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099855.exe
        19⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094769.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094769.exe
        16⤵
        Executes dropped EXE
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092632.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092632.exe
        13⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091321.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091321.exe
        10⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088747.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088747.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088919.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088919.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089325.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089325.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091165.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091165.exe
        12⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091446.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091446.exe
        12⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091992.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091992.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092554.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092554.exe
        15⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092725.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092725.exe
        15⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093256.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093256.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094535.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094535.exe
        18⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095003.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095003.exe
        18⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096001.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096001.exe
        19⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093708.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093708.exe
        16⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092133.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092133.exe
        13⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090417.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090417.exe
        10⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091368.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091368.exe
        11⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091696.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091696.exe
        11⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089059.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089059.exe
        8⤵
        Executes dropped EXE
        
        PID:1612
    - - C:\Users\Admin\AppData\Local\Temp\tmp7088482.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088482.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1284
      - C:\Users\Admin\AppData\Local\Temp\tmp7088654.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088654.exe
        6⤵
        Executes dropped EXE
        
        PID:860
      - C:\Users\Admin\AppData\Local\Temp\tmp7088794.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088794.exe
        6⤵
        Executes dropped EXE
        
        PID:1476
- - C:\Users\Admin\AppData\Local\Temp\tmp7087858.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7087858.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\tmp7088357.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7088357.exe
      4⤵
      Executes dropped EXE
      PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\tmp7088529.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7088529.exe
      4⤵
      Executes dropped EXE
      PID:2036

C:\Users\Admin\AppData\Local\Temp\tmp7083927.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083927.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7082258.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7082258.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7082429.exe

Filesize
1.1MB

MD5
71bd481cde249f5731581fa406fa4fdd

SHA1
bce7675ca2701415152e7f107b857864d8c03c17

SHA256
02159100c42f3c32729d03bfcd31c1f7a10f215838d7c95191a128eda718caf7

SHA512
fcbc064e59a007c76fab8bcd161153f616f309076564af4d1112c0a339e9664eb7fb82d4cbac4c5b314f8229fac2d42b4b7f9228eb3d1c3a69c7f82b590c1154

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7082429.exe

Filesize
1.1MB

MD5
71bd481cde249f5731581fa406fa4fdd

SHA1
bce7675ca2701415152e7f107b857864d8c03c17

SHA256
02159100c42f3c32729d03bfcd31c1f7a10f215838d7c95191a128eda718caf7

SHA512
fcbc064e59a007c76fab8bcd161153f616f309076564af4d1112c0a339e9664eb7fb82d4cbac4c5b314f8229fac2d42b4b7f9228eb3d1c3a69c7f82b590c1154

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7082601.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7082850.exe

Filesize
136KB

MD5
2fab25065e415a61ac0fe2c4410d68a1

SHA1
7d511ea006c40d830bc1dbd5ad1b034222fc3a7b

SHA256
0c7489e15ee4424649cb044200fd6315756999da96a035128144c3d58a82a8ab

SHA512
3911e7f387f7c4855c87d621e32afd85e8873b4460a7be3e7d8bea4a84c60174724b8af672da3eff8d9958739157e62cb6d477c44f9256b5326d123c8aa96ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7083521.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7083521.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7083552.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7083771.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7083771.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7083927.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7085284.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7085284.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7085596.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087375.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087375.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087858.exe

Filesize
1.1MB

MD5
74d6026d4da17211f7b5d28cc6f63154

SHA1
e9b83f9026b4ee38822e6f40a7baa4df8844cf1c

SHA256
2053fd14c8a0b9c5d291a1bceaf010faba146b641ec3151c23ad600d98f98c3d

SHA512
1be1dc43899b703412044d8913793558ceecf60927bc54b927b6162d456eef5eefa9fe4e4b166236d1b70fc762afec2a5754ea8e994a18b3080f23f6ccac9b1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.1MB

MD5
74d6026d4da17211f7b5d28cc6f63154

SHA1
e9b83f9026b4ee38822e6f40a7baa4df8844cf1c

SHA256
2053fd14c8a0b9c5d291a1bceaf010faba146b641ec3151c23ad600d98f98c3d

SHA512
1be1dc43899b703412044d8913793558ceecf60927bc54b927b6162d456eef5eefa9fe4e4b166236d1b70fc762afec2a5754ea8e994a18b3080f23f6ccac9b1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.1MB

MD5
74d6026d4da17211f7b5d28cc6f63154

SHA1
e9b83f9026b4ee38822e6f40a7baa4df8844cf1c

SHA256
2053fd14c8a0b9c5d291a1bceaf010faba146b641ec3151c23ad600d98f98c3d

SHA512
1be1dc43899b703412044d8913793558ceecf60927bc54b927b6162d456eef5eefa9fe4e4b166236d1b70fc762afec2a5754ea8e994a18b3080f23f6ccac9b1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.1MB

MD5
74d6026d4da17211f7b5d28cc6f63154

SHA1
e9b83f9026b4ee38822e6f40a7baa4df8844cf1c

SHA256
2053fd14c8a0b9c5d291a1bceaf010faba146b641ec3151c23ad600d98f98c3d

SHA512
1be1dc43899b703412044d8913793558ceecf60927bc54b927b6162d456eef5eefa9fe4e4b166236d1b70fc762afec2a5754ea8e994a18b3080f23f6ccac9b1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.1MB

MD5
74d6026d4da17211f7b5d28cc6f63154

SHA1
e9b83f9026b4ee38822e6f40a7baa4df8844cf1c

SHA256
2053fd14c8a0b9c5d291a1bceaf010faba146b641ec3151c23ad600d98f98c3d

SHA512
1be1dc43899b703412044d8913793558ceecf60927bc54b927b6162d456eef5eefa9fe4e4b166236d1b70fc762afec2a5754ea8e994a18b3080f23f6ccac9b1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.0MB

MD5
1b078c1a451ae9b22c8dd608da2728f6

SHA1
ef65d3c030c3971b0a374de9279f205de04c4a4e

SHA256
0faf678a6d8e62d1c2dd436c7db9c4c80205bbf36d015f7fe040acfea85cc232

SHA512
d194d501f8960506ed4ac6aaf8cc5b223abeb9fd9aefde77dc5097d28b559722f7ebab5c2b91910ee47c0db4f0aa48dc9d113f3b62ee19f59b0a89081ca18b46

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.0MB

MD5
1b078c1a451ae9b22c8dd608da2728f6

SHA1
ef65d3c030c3971b0a374de9279f205de04c4a4e

SHA256
0faf678a6d8e62d1c2dd436c7db9c4c80205bbf36d015f7fe040acfea85cc232

SHA512
d194d501f8960506ed4ac6aaf8cc5b223abeb9fd9aefde77dc5097d28b559722f7ebab5c2b91910ee47c0db4f0aa48dc9d113f3b62ee19f59b0a89081ca18b46

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7082258.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7082258.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7082429.exe

Filesize
1.1MB

MD5
71bd481cde249f5731581fa406fa4fdd

SHA1
bce7675ca2701415152e7f107b857864d8c03c17

SHA256
02159100c42f3c32729d03bfcd31c1f7a10f215838d7c95191a128eda718caf7

SHA512
fcbc064e59a007c76fab8bcd161153f616f309076564af4d1112c0a339e9664eb7fb82d4cbac4c5b314f8229fac2d42b4b7f9228eb3d1c3a69c7f82b590c1154

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7082429.exe

Filesize
1.1MB

MD5
71bd481cde249f5731581fa406fa4fdd

SHA1
bce7675ca2701415152e7f107b857864d8c03c17

SHA256
02159100c42f3c32729d03bfcd31c1f7a10f215838d7c95191a128eda718caf7

SHA512
fcbc064e59a007c76fab8bcd161153f616f309076564af4d1112c0a339e9664eb7fb82d4cbac4c5b314f8229fac2d42b4b7f9228eb3d1c3a69c7f82b590c1154

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7082601.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7082601.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7082850.exe

Filesize
136KB

MD5
2fab25065e415a61ac0fe2c4410d68a1

SHA1
7d511ea006c40d830bc1dbd5ad1b034222fc3a7b

SHA256
0c7489e15ee4424649cb044200fd6315756999da96a035128144c3d58a82a8ab

SHA512
3911e7f387f7c4855c87d621e32afd85e8873b4460a7be3e7d8bea4a84c60174724b8af672da3eff8d9958739157e62cb6d477c44f9256b5326d123c8aa96ecb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7082850.exe

Filesize
136KB

MD5
2fab25065e415a61ac0fe2c4410d68a1

SHA1
7d511ea006c40d830bc1dbd5ad1b034222fc3a7b

SHA256
0c7489e15ee4424649cb044200fd6315756999da96a035128144c3d58a82a8ab

SHA512
3911e7f387f7c4855c87d621e32afd85e8873b4460a7be3e7d8bea4a84c60174724b8af672da3eff8d9958739157e62cb6d477c44f9256b5326d123c8aa96ecb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7082850.exe

Filesize
136KB

MD5
2fab25065e415a61ac0fe2c4410d68a1

SHA1
7d511ea006c40d830bc1dbd5ad1b034222fc3a7b

SHA256
0c7489e15ee4424649cb044200fd6315756999da96a035128144c3d58a82a8ab

SHA512
3911e7f387f7c4855c87d621e32afd85e8873b4460a7be3e7d8bea4a84c60174724b8af672da3eff8d9958739157e62cb6d477c44f9256b5326d123c8aa96ecb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7082850.exe

Filesize
136KB

MD5
2fab25065e415a61ac0fe2c4410d68a1

SHA1
7d511ea006c40d830bc1dbd5ad1b034222fc3a7b

SHA256
0c7489e15ee4424649cb044200fd6315756999da96a035128144c3d58a82a8ab

SHA512
3911e7f387f7c4855c87d621e32afd85e8873b4460a7be3e7d8bea4a84c60174724b8af672da3eff8d9958739157e62cb6d477c44f9256b5326d123c8aa96ecb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7082850.exe

Filesize
136KB

MD5
2fab25065e415a61ac0fe2c4410d68a1

SHA1
7d511ea006c40d830bc1dbd5ad1b034222fc3a7b

SHA256
0c7489e15ee4424649cb044200fd6315756999da96a035128144c3d58a82a8ab

SHA512
3911e7f387f7c4855c87d621e32afd85e8873b4460a7be3e7d8bea4a84c60174724b8af672da3eff8d9958739157e62cb6d477c44f9256b5326d123c8aa96ecb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7083521.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7083521.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7083552.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7083771.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7083771.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7083927.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7085284.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7085284.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7085596.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087375.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087375.exe

Filesize
948KB

MD5
4c08c8c9d06c3d7a9a1d56c7b0e11e69

SHA1
c97dea458d857795271c2c4fa30998cbf8401927

SHA256
83d93889b75a1a84e387b0d6e5442d06d2a117abef3bf55fd91ca34fe1e6a1d0

SHA512
57cf0840b7e0e6180baadecd6db1dacc6bed5e808b3c4567644fed2356f42323d1e5d9983f6d2611f825cd0f6baeefa5ec7a33b5adebace4eb6cf86a4c20f8db

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087858.exe

Filesize
1.1MB

MD5
74d6026d4da17211f7b5d28cc6f63154

SHA1
e9b83f9026b4ee38822e6f40a7baa4df8844cf1c

SHA256
2053fd14c8a0b9c5d291a1bceaf010faba146b641ec3151c23ad600d98f98c3d

SHA512
1be1dc43899b703412044d8913793558ceecf60927bc54b927b6162d456eef5eefa9fe4e4b166236d1b70fc762afec2a5754ea8e994a18b3080f23f6ccac9b1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087858.exe

Filesize
1.1MB

MD5
74d6026d4da17211f7b5d28cc6f63154

SHA1
e9b83f9026b4ee38822e6f40a7baa4df8844cf1c

SHA256
2053fd14c8a0b9c5d291a1bceaf010faba146b641ec3151c23ad600d98f98c3d

SHA512
1be1dc43899b703412044d8913793558ceecf60927bc54b927b6162d456eef5eefa9fe4e4b166236d1b70fc762afec2a5754ea8e994a18b3080f23f6ccac9b1f

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.1MB

MD5
74d6026d4da17211f7b5d28cc6f63154

SHA1
e9b83f9026b4ee38822e6f40a7baa4df8844cf1c

SHA256
2053fd14c8a0b9c5d291a1bceaf010faba146b641ec3151c23ad600d98f98c3d

SHA512
1be1dc43899b703412044d8913793558ceecf60927bc54b927b6162d456eef5eefa9fe4e4b166236d1b70fc762afec2a5754ea8e994a18b3080f23f6ccac9b1f

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.1MB

MD5
74d6026d4da17211f7b5d28cc6f63154

SHA1
e9b83f9026b4ee38822e6f40a7baa4df8844cf1c

SHA256
2053fd14c8a0b9c5d291a1bceaf010faba146b641ec3151c23ad600d98f98c3d

SHA512
1be1dc43899b703412044d8913793558ceecf60927bc54b927b6162d456eef5eefa9fe4e4b166236d1b70fc762afec2a5754ea8e994a18b3080f23f6ccac9b1f

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.1MB

MD5
74d6026d4da17211f7b5d28cc6f63154

SHA1
e9b83f9026b4ee38822e6f40a7baa4df8844cf1c

SHA256
2053fd14c8a0b9c5d291a1bceaf010faba146b641ec3151c23ad600d98f98c3d

SHA512
1be1dc43899b703412044d8913793558ceecf60927bc54b927b6162d456eef5eefa9fe4e4b166236d1b70fc762afec2a5754ea8e994a18b3080f23f6ccac9b1f

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.1MB

MD5
74d6026d4da17211f7b5d28cc6f63154

SHA1
e9b83f9026b4ee38822e6f40a7baa4df8844cf1c

SHA256
2053fd14c8a0b9c5d291a1bceaf010faba146b641ec3151c23ad600d98f98c3d

SHA512
1be1dc43899b703412044d8913793558ceecf60927bc54b927b6162d456eef5eefa9fe4e4b166236d1b70fc762afec2a5754ea8e994a18b3080f23f6ccac9b1f

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.1MB

MD5
74d6026d4da17211f7b5d28cc6f63154

SHA1
e9b83f9026b4ee38822e6f40a7baa4df8844cf1c

SHA256
2053fd14c8a0b9c5d291a1bceaf010faba146b641ec3151c23ad600d98f98c3d

SHA512
1be1dc43899b703412044d8913793558ceecf60927bc54b927b6162d456eef5eefa9fe4e4b166236d1b70fc762afec2a5754ea8e994a18b3080f23f6ccac9b1f

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.1MB

MD5
74d6026d4da17211f7b5d28cc6f63154

SHA1
e9b83f9026b4ee38822e6f40a7baa4df8844cf1c

SHA256
2053fd14c8a0b9c5d291a1bceaf010faba146b641ec3151c23ad600d98f98c3d

SHA512
1be1dc43899b703412044d8913793558ceecf60927bc54b927b6162d456eef5eefa9fe4e4b166236d1b70fc762afec2a5754ea8e994a18b3080f23f6ccac9b1f

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
2.0MB

MD5
1b078c1a451ae9b22c8dd608da2728f6

SHA1
ef65d3c030c3971b0a374de9279f205de04c4a4e

SHA256
0faf678a6d8e62d1c2dd436c7db9c4c80205bbf36d015f7fe040acfea85cc232

SHA512
d194d501f8960506ed4ac6aaf8cc5b223abeb9fd9aefde77dc5097d28b559722f7ebab5c2b91910ee47c0db4f0aa48dc9d113f3b62ee19f59b0a89081ca18b46

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
2.0MB

MD5
1b078c1a451ae9b22c8dd608da2728f6

SHA1
ef65d3c030c3971b0a374de9279f205de04c4a4e

SHA256
0faf678a6d8e62d1c2dd436c7db9c4c80205bbf36d015f7fe040acfea85cc232

SHA512
d194d501f8960506ed4ac6aaf8cc5b223abeb9fd9aefde77dc5097d28b559722f7ebab5c2b91910ee47c0db4f0aa48dc9d113f3b62ee19f59b0a89081ca18b46

Download Submit
memory/392-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/392-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/428-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/428-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/432-113-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/452-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/560-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/560-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/624-133-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/664-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/824-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/884-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/884-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/888-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/892-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/948-112-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/948-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/948-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/948-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/996-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/996-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/996-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1056-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1204-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1240-62-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1260-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1264-225-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1284-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1284-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1372-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1372-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1380-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1400-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1400-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1472-298-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1472-299-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1476-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1512-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1512-256-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1520-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1520-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1572-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1712-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1760-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1800-101-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download
memory/1812-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1812-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1812-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-215-0x00000000023B0000-0x00000000023CF000-memory.dmp

Filesize
124KB

Download
memory/1952-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1972-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-172-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2012-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2012-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download